Information Commissioner's Office

DATA PROTECTION ACT 2018
(PART 6, SECTION 149)

SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
ENFORCEMENT NOTICE

DATED: 12 January 2022

To: The Ministry of Justice

Of: 102 Petty France
London
SW1H 9AJ


1. The Ministry of Justice (the “MoJ”) is a “controller” as variously defined in
sections 3(6), 5 and 6 of the Data Protection Act 2018 (“DPA”) and Articles
4(7) of the General Data Protection Regulation (“EU GDPR”) and Retained
General Data Protection Regulation (as amended) (“UK GDPR”)[1]. The
controller is a ministerial department of government of the United Kingdom.
It processes personal data in the course of carrying out its functions.

2. The Commissioner has decided to issue the controller with an Enforcement
Notice under section 149 DPA. The Notice is in relation to contraventions of
Article 15 of the EU and UK GDPR, and Part 3, Chapter 3 of the DPA. This
Notice is accordingly issued under section 149(2)(b) DPA.

3. This Notice explains the Commissioner’s decision.

[1] A number of the subject access requests in issue for the purposes of this Preliminary Enforcement
Notice were made between 25 May 2018 and 31 December 2020 when the EU GDPR applied in the United
Kingdom. Following the end of the transition period provided for under the EU-UK Withdrawal Agreement,
i.e., since 1 January 2021, the UK GDPR has applied in the United Kingdom.

Legislative Framework


4. The DPA contains enforcement provisions in Part 6 which are exercisable by
the Commissioner.

5. Section 149 DPA materially provides:

“(1) Where the Commissioner is satisfied that a person has failed, or is
failing, as described in subsection (2), (3), (4) or (5), the
Commissioner may give the person a written notice (an “enforcement
notice”) which requires the person—

(a) to take steps specified in the notice, or

(b) to refrain from taking steps specified in the notice,

or both (and see also sections 150 and 151).

(2) The first type of failure is where a controller or processor has failed,
or is failing, to comply with any of the following—

(a)...

(b) a provision of Articles 12 to 22 of the GDPR or Part 3 or 4 of
this Act conferring rights on a data subject;

(c) ...;

(d) ...;

(e) ...

(6) An enforcement notice given in reliance on subsection (2), (3) or
(5) may only impose requirements which the Commissioner considers
appropriate for the purpose of remedying the failure.”


6. Section 150 DPA materially provides:

“(1) An enforcement notice must—

(a) state what the person has failed or is failing to do, and

(b) give the Commissioner’s reasons for reaching that opinion.

(2) In deciding whether to give an enforcement notice in reliance on
section 149(2), the Commissioner must consider whether the failure
has caused or is likely to cause any person damage or distress.

(3) In relation to an enforcement notice given in reliance on section
149(2), the Commissioner’s power under section 149(1)(b) to require a
person to refrain from taking specified steps includes power—
(a) to impose a ban relating to all processing of personal data, or
(b) to impose a ban relating only to a specified description of
processing of personal data, including by specifying one or more
of the following—
(i) a description of personal data;
(ii) the purpose or manner of the processing;
(iii) the time when the processing takes place.

(4) An enforcement notice may specify the time or times at which, or
period or periods within which, a requirement imposed by the notice
must be complied with (but see the restrictions in subsections (6) to
(8)).”


7. Chapter 3 of the EU and UK GDPR makes provision for the rights afforded to
data subjects. These include the rights of subject access, rectification,
erasure and restriction of processing.


8. Specifically Chapter 3, Article 15 of the UK GDPR materially provides:

“(1) the data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her
are being processed, and, where that is the case, access to the
personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the
personal data have been or will be disclosed, in particular
recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the
personal data will be stored, or, if not possible, the criteria
used to determine that period;

(e) the existence of the right to request from the controller
rectification or erasure of personal data or restriction of
processing of personal data concerning the data subject or
to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data
subject, any available information as to their source;

(h) the existence of automated decision-making, including
profiling, referred to in Article 22(1) and (4) and, at least in
those cases, meaningful information about the logic
involved, as well as the significance and the envisaged
consequences of such processing for the data subject.

(3) the controller shall provide a copy of the personal data undergoing
processing. For any further copies requested by the data subject, the
controller may charge a reasonable fee based on administrative costs.
Where the data subject makes the request by electronic means, and
unless otherwise requested by the data subject, the information shall
be provided in a commonly used electronic form.”


9. For the purpose of this Enforcement Notice, there is no material difference
between Article 15 of the UK GDPR and Article 15 of the EU GDPR.

10. Chapter 3, Article 23 of the EU and UK GDPR sets out the restrictions which
may apply to the scope of the obligations and rights provided for in Article
15.

11. Part 3 of the DPA concerns Law Enforcement Processing.

12. Section 29(1) DPA states that Part 3 applies to:

“(a) the processing by a competent authority of personal data
wholly or partly by automated means, and

(b) the processing by a competent authority otherwise than by
automated means of personal data which forms part of a filing
system or is intended to form part of a filing system.”

13. The controller in this instance is a “competent authority” as defined under
Schedule 7, Paragraph 1.

14. Section 45 of the DPA provides that:
“(1) A data subject is entitled to obtain from the controller—

(a) confirmation as to whether or not personal data concerning
him or her is being processed, and

(b) where that is the case, access to the personal data and the
information set out in subsection (2).

(2) That information is—
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the
personal data has been disclosed (including recipients or
categories of recipients in third countries or international
organisations);
(d) the period for which it is envisaged that the personal data will
be stored or, where that is not possible, the criteria used to
determine that period;
(e) the existence of the data subject's rights to request from the
controller—
(i) rectification of personal data (see section 46), and
(ii) erasure of personal data or the restriction of its
processing (see section 47);
(f) the existence of the data subject's right to lodge a complaint
with the Commissioner and the contact details of the
Commissioner;
(g) communication of the personal data undergoing processing
and of any available information as to its origin.

(3) Where a data subject makes a request under subsection (1), the
information to which the data subject is entitled must be provided in
writing —

(a) without undue delay, and

(b) in any event, before the end of the applicable time period (as
to which see section 54).

(4) The controller may restrict, wholly or partly, the rights conferred by
subsection (1) to the extent that and for so long as the restriction is,
having regard to the fundamental rights and legitimate interests of the
data subject, a necessary and proportionate measure to—
(a) avoid obstructing an official or legal inquiry, investigation or
procedure;
(b) avoid prejudicing the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal
penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.

(5) Where the rights of a data subject under subsection (1) are
restricted, wholly or partly, the controller must inform the data subject
in writing without undue delay—
(a) that the rights of the data subject have been restricted,
(b) of the reasons for the restriction,
(c) of the data subject's right to make a request to the
Commissioner under section 51,
(d) of the data subject's right to lodge a complaint with the
Commissioner, and
(e) of the data subject's right to apply to a court under section
167.

(6) Subsection (5)(a) and (b) do not apply to the extent that the
provision of the information would undermine the purpose of the
restriction.

(7) The controller must—

(a) record the reasons for a decision to restrict (whether wholly
or partly) the rights of a data subject under subsection (1), and

(b) if requested to do so by the Commissioner, make the record
available to the Commissioner


Background of the case

15. The controller had previously, on 21 December 2017, been issued with an
Enforcement Notice following a finding by the Commissioner that it had failed
to comply with a large number of subject access requests / SARs without
undue delay, and in contravention of its obligations under section 7 of the
Data Protection Act 1998 as was in effect. The controller complied with the
terms of the Notice within the timeframes stipulated.

16. On 7 January 2019 the Commissioner was made aware by the controller that
a backlog of subject access requests had again accrued. The Commissioner
engaged in conversations and correspondence with the controller over the
following year, during which time the Commissioner considered whether
formal enforcement action in respect of the latest backlog would be
appropriate.

17. In March 2020, the coronavirus pandemic led to a shift in the Commissioner’s
approach to regulatory action, and the investigation into the controller was
temporarily paused.


18. On 20 October 2020 the controller contacted the Commissioner to provide an
update as to its processing of subject access requests. It was explained that
the pandemic had affected the controller’s operations, and those of
[illegible] upon which the controller
was reliant for the provision of information, but that it had sought to
prioritise and process some subject access requests where the request had
been in relation to “urgent matters”, i.e. legal proceedings, immigration
hearings, or police investigations.


19. Contact between the Commissioner and the controller resumed in March
2021, and on 16 April 2021 the Commissioner was advised that, as of 31
March 2021, the controller had 5,956 subject access requests outstanding to
which it had only partially responded, with 372 of those dating back to 2018.

20. The Commissioner met with the controller on 26 April 2021 to discuss the
issue of the outstanding subject access requests, and requested that the
controller continued to provide regular updates as to its backlog.

21. In a subsequent update on 18 May 2021 the Commissioner was advised that
the number of subject access requests which had been only partially
responded to had risen to 6,398. The controller advised that “[it]
anticipate[s] resuming a full SAR service for all new SARs from
summer/autumn 2021 providing there is no reintroduction of previous or new
COVID-19 restrictions”.

22. On 27 August 2021, in response to a series of queries from the
Commissioner, the controller provided a further update in which it confirmed
that as of 16 August 2021 there were 7,753 “overdue SARs”, comprising 25
requests which had received no response, and 7,728 requests which had
received only a partial response.


23. In terms of timeframes for responding to the subject access requests, the
controller explained that it is “anticipating that the ~960 SARs that were
out-of-time before the COVID-19 pandemic will be responded to in full by 31 May
2022 [illegible]. We will learn from this first phase of
tackling the cases that have received a partial response and will then move
forward with plans to revisit the remaining 6,772 partial response cases in
the timeliest way achievable”.


24. The controller also explained that it expects to respond to the 25 requests
that have not received any data by 31 December 2021.

25. The Commissioner understands that the process of providing a partial
response to subject access requests was introduced during the pandemic,
and has been applied solely to requests received from ‘offenders’[2].

26. The Commissioner asked the controller to provide an explanation of what a
data subject would receive when receiving a ‘partial response’. The controller
explained that:

“A limited SAR service was implemented where requestors were initially
provided with a copy of their personal information held on the [illegible]
the [illegible] team could access
directly, without adding a burden [illegible] Requestors were advised of the
reasons why the information held on [illegible] was all that could be provided
when their SAR was acknowledged. They were also reminded that they had
other access routes to their information via their [illegible], without
the need to make a SAR as well as being informed that they could submit a
further SAR after the pandemic passed.

From November 2020 the limited SAR service was extended to include
information from the [illegible]
telephone call recordings. As a result of this, SARs received from this
date have received all offender information held except the main core
file, which is held in hard copy format.

The [team which deals with ‘offender SARs’] resumed a full SAR service for
all offender requests received from 1 August 2021”.

[2] Subject access requests received by the controller are separated into subject access requests from ‘offenders’ (the
Controller’s online ‘personal information charter’ [Personal information charter - Ministry of Justice - GOV.UK
(www.gov.uk)] suggests that this category includes ‘offenders and ex-offenders including prisoners’), and
‘non-offenders’ (i.e. MoJ staff and members of the public)


27. The controller confirmed that between 1 April 2020 and 30 June 2021 it had
received 34 complaints from data subjects concerning the partial response,
or non-response, to their subject access requests.

28. The controller has notified the Commissioner throughout the investigation,
including most recently in its update of 27 August 2021, that in dealing with
subject access requests it is dependent on the provision of manual and
electronic information from sites, however operational
capacity has been limited by the restrictions imposed during the pandemic,
and this in turn has affected the controller’s ability to process and respond to
subject access requests.

29. The Commissioner acknowledges these difficulties; the Commissioner also
acknowledges the co-operation of the controller with his investigation, and
the efforts which it has made to comply with its statutory duties in respect of
subject access requests during a pandemic.


30. However, the substantial number of subject access requests which remain
outstanding and which are out of time for compliance is a cause of significant
concern for the Commissioner. These concerns demonstrate that the
controller is currently failing to adhere to its obligations in respect of the
information rights of the data subjects for whom it processes data. Previous
meetings and correspondence between the controller and Commissioner have
proven largely ineffective in reducing the number of outstanding subject
access requests.

The Contravention

31. In light of the above, the Commissioner is of the view that the controller has
contravened Chapter 3, Article 15 of the EU and UK GDPR in that it has failed
to inform the relevant data subjects referred to at paragraph 22, without
undue delay, whether their personal data is being processed by or on behalf
of the controller and, where that is the case, has failed without undue delay
to provide access, in an intelligible form, to such personal data, and to the
information as set out at Article 15(1) of the EU and UK GDPR.

32. Moreover, to the extent that the processing involves law enforcement
processing, the Commissioner is of the view that the controller has
contravened section 45 of the DPA in that it has failed to inform the relevant
data subjects referred to at paragraph 22, without undue delay, whether
their personal data is being processed by or on behalf of the controller and,
where that is the case, has failed without undue delay to provide access, in
an intelligible form, to such personal data, and to the information as set out
at section 45(2) of the DPA.


Issue of the Notice

33. The Commissioner has considered, as he is required to do under section
150(2) DPA when considering whether to serve an Enforcement Notice,
whether any contravention has caused or is likely to cause any person
damage or distress. The Commissioner takes the view that damage or
distress is likely as a result of the data subjects whose subject access
requests are outstanding being denied the opportunity of properly
understanding what personal data may be being processed about them by
the controller; furthermore they are unable to effectively exercise the various
other rights statutorily afforded to a data subject in respect of that data.

34. Having regard to the significant level of the contravention, the Commissioner
considers that an Enforcement Notice would be a proportionate regulatory
step to bring the controller into compliance.


Terms of the Notice

35. In view of the above, the Commissioner has decided to exercise his powers
under section 149(2)(b) DPA to serve an Enforcement Notice requiring the
controller to take the specified steps to comply with the legislation. The
terms of the Notice are set out in Annex 1 of this Notice.

36. Separately, the controller is advised to develop a recovery plan, containing
details of how it intends to remedy the issue of the out-of-time subject
access requests.

37. The controller would also be advised to take appropriate steps to ensure that
the current and prospective data subjects who make subject access requests
are aware of any delays in operational practice that may affect their
statutory rights.


Consequences of failing to comply with an Enforcement Notice

38. If a person fails to comply with an Enforcement Notice the Commissioner
may serve a penalty notice on that person under section 155(1)(b) DPA
requiring payment of an amount up to £17,500,000 or 4% of an
undertaking’s total annual worldwide turnover whichever is the higher.

Right of Appeal

39. By virtue of section 162(1)(c) DPA there is a right of appeal against this
Notice to the First-tier Tribunal (Information Rights). If an appeal is brought
against this Notice, it need not be complied with pending determination or
withdrawal of that appeal. Information about the appeals process may be
obtained from:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ

Telephone: 0203 936 8963

Email: grc@justice.gov.uk

40. Any Notice of Appeal should be served on the Tribunal within 28 calendar
days of the date on which this Notice is sent.


Dated the 12th day of January 2022.

Suzanne Gordon
Director of Public Advice and Data Protection Complaints
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

TERMS OF THE ENFORCEMENT NOTICE

THIS NOTICE REQUIRES THE CONTROLLER TO TAKE THE FOLLOWING
STEPS:

1) By no later than 31 December 2022, to have informed the 7,753
data subjects referred to at paragraph 22, who have made a subject
access request, whether or not the controller is processing personal
data concerning that data subject, and if so provide that data subject
with a copy of their data, subject only to the proper application of any
exemption from, or restriction or adaptation of, the right of subject
access provided for in or by virtue of the EU or UK GDPR or DPA.

2) Furthermore, by 31 December 2022 at the latest, the controller is
to carry out such changes to its internal systems, procedures and
policies as are necessary to ensure that future subject access
requests received by the controller, in respect of it, are identified
and complied with in accordance with Article 15 of the UK GDPR,
subject only to the proper application of any exemption from, or
restriction or adaptation of, the right of subject access provided for
in or by virtue of the UK GDPR or DPA.

3) The controller should continue to use its best endeavours to surpass
the milestones referred to in paragraphs 1) and 2) above.


